Posted by Soulskill on Wednesday May 18, 2011 @01:51PM
from the we'll-get-right-on-that dept.

angry tapir writes "With cybercrime now the second largest criminal activity in the world, measures such as the creation of an 'Internet Interpol' and better cooperation between international law enforcement agencies are needed if criminals are to be curtailed in the future, Kaspersky Labs founder and security expert Eugene Kaspersky has argued. He said, 'We were talking about that 10 years ago and almost nothing has happened. Sooner or later we will have one. I am also talking about Internet passports and having an online ID. Some countries are introducing this idea, so maybe in 15 years we will all have it.'"

what are you talking about? The "internet ID" and "internet passport" become items of intense personal value that must be protected. The stakes will be even higher to protect your papers under a "papers, please." internet.

we all lose privacy so that the fucktards can pretend they're a little bit 'safer' from their own idiocy.

fuck 'internet passports' and 'online ids'. it's time for citizens to quit being chickenshits or eventually everything you do will be tracked back to this. this is different than the past because electronic surveillance completely erodes the natural privacy one has in the physical world. I don't want my every click, every download, every page hit recorded for some bored cop to peruse 20 years after the

>Then make it illegal

Yeah. We could even add a constitutional amendment! Something like:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Trouble is...we HAD a nice 4th amendment in the US constitution, however, the Supreme Court just kind of fscked us on this one a day or two ago.

I'm worried when they can blow off the constitution so readily...if they can do that, well, they'll certainly NOT have a 2nd thought about blowing off an internet mandate about using info collected from it....if the tool is there, the authorities WILL abuse it at some time in the future.

Their track record shows this....over and over again.

Remember how RICO was only supposed to be used to go after the mafia? Hmm...well, it's being used in new and creative ways all the time.

If they can now kick down your door without a warrant just because they hear some (non-threatening sounds) and smell weed outside a bunch of apt. doors...they'll have no compunction about tracking your ass down by forced internet ID marked transactions, why wait for using it for criminal investigation, just continuously fishing for information on everyone...someone will slip and we'll get them, even if we have to change the laws and go after them retroactively.

In the same vein, the Indiana Supreme Court ruled on Friday that its citizens have no right to resist even unlawful police entry [nwitimes.com] into their homes.

"We believe... a right to resist an unlawful police entry into a home is against public policy and is incompatible with modern Fourth Amendment jurisprudence," [Justice] David said, [writing for the 3-2 majority].

In terms of "kicking off the 2nd American Revolutionary War", I think folks at Waco, Texas and Ruby Ridge certainly did plenty to try and get that going earlier. Neither one worked out all that well for those who tried to fight the system through the force of arms.

I do hope that reason and sanity can prevail, and make sure that you use the four boxes of freedom in the order they were intended:

The four boxes of freedom: Soap, Ballot, Jury, and Ammo. Please use them in that order. I keep hoping that the B

Are you that naive? Governments make exceptions to due process all the time.. even laws that are well drafted, honed, and focused to begin with get their scopes widened over time by opportunistic politicians selling out to law enforcement and economic lobbies.

I'm not sure there's anything I can say to that other than to open your eyes and have a look around at what's going on in this world. Hypocrites abound man.. law is only as good as the ethics of those who write and those who enforce..and their track records these days are pretty shitty.

You could, but that wouldn't necessarily stop them. They might even alter the law later. I'd rather not ever give them this ability in the first place to minimize the risks. Sure, it might be more difficult to catch these 'criminals', but that is how it should be, in my opinion.

That's true. They can do it. But they should not be able to. They shouldn't even have the tools to do so as far as I'm concerned (to minimize the number of mistakes and malicious behavior, which can be hidden at times). That is the problem.

The police are your avatar in the world of crime-fighting. You need to give them the ability to beat the criminals, or there will be no point, and you will have to have your own weapons and take your own personal risk. The criminals will have whatever tools they wish.

Arm the police better than the criminals, then prohibit them from using those weapons on anyone other than criminals. If the police develop a culture of ignoring that prohibition, that's because you failed to do your due diligence in managin

It isn't the cops you should be worried about. Everything you do online has value to someone. It will provide them valuable market information. The fact that you don't click on the CNN link but do click on the Stormfront link is saleable to someone. The fact that you sort things in a list of items on Amazon by "best selling" rather than "lowest price" is worth something.

Now maybe individually these actions aren't worth much, but if a company can assemble many people's habits and actions together and offer them as a package so that trend analysis and forecasting can be done... well, how much do you think Google was able to sell the brands of the routers actually being used in Chicago for? Better yet, how much do you think the brand names of routers in Highland Park (an affluent suburb) vs. brand names of routers in Wheeling (a mostly low-income suburb with trailer parks) is worth to DLink or Belkin?

This information is going to be collected and sold and there is nothing anyone can do about it.

I think a lot of people are arguing against a false dilemma here. Some people would suggest *not* giving up privacy but would welcome a more unified front from law enforcement.

As it stands now, most cyber 'crime' is only a crime in the technical sense of the word. Call the police when your computer gets hacked and see how seriously they pursue it. Unless you are a large company, dealing with millions of dollars or customer information absolutely nothing will come of it. And that's 10X true when the crim

They'd like that -- if we were all thinking of the children it'd be *waaaaaay* easier to bust us for child porn. How about you and your pervert buddies just stop thinking about the children and have a seat, while I call in Chris Hansen...

As someone whose livelihood comes from the prosecution of child porn, you have no idea.

First off, child porn is something that can be prosecuted. The botnet creator in Romania cannot be prosecuted and is actively being protected by their government. No point in trying to go after them.

Then there are the credit card thieves. They get your number and use it and you have to... cancel the card. Well, because you're not out anything, the merchant has insurance and the credit card companies don't want to pro

Too bad you posted anonymously (though I understand why you did), as some may miss this post. Until we get everyone on the same page as to who should be prosecuted, it's just going to be too easy to hide.

These are good points, and they were brought up a year ago when Dan Molina from Kaspersky Labs gave his BSides Denver 2010 presentation on just this subject. The heckling was so harsh I felt a little bad for the guy, but it looks like the company decided to push the idea anyway.

This could all have been mooted if in the original design of IPv4 it weren't made so easy to spoof. That same lackadaisical attitude spread to mail paths and DNS.

The fact is, in order to get data from point A to point B there is a necessary uniqueness to the identification of A and B. If that had been concretized rather than left flapping in the wind, while still allowing for mobility, then your packets would be your packets with 100% certainty.

you want the rest of us to give up privacy AND take on the mantle of defending an online id that will automatically be considered legitimate by governmental bureaucracies just so you don't have a large spam folder? Wow..

Right now, any safety we have online is the fact that online ids are not taken seriously..

A government issued ID hardly violates my privacy. Mine sits at home, since I only have to show it in very specific occasions, and most aren't logged. It's completely different from having an identifiable address that everyone can see and log.

It would be like having a name plate with your SSN when you walk around.

I suppose you're also in favor of the mandatory name tags at all times, since anyone could be carrying a knife in their pockets and stab someone. Maybe we should also put body and retina scanners at every building entrance? Security above all!

A PC is nothing like a car. A rootkit doesn't kill or harm physically anyone - if it can, it's the attacked machine's owner at fault, since you should never connect such machines to the Internet. Privacy is a condition sine qua non for political freedom and the occasio

if roads were all we were paying for, we wouldn't be trillions in debt. there's no reason to tag people's cars unless you want to track where they go and grief them while driving...you know, to bring in more money to the bloated state.

Instead of continually beating our heads on securing systems and people, let's remove the profit motive. If we fundamentally change how financial transactions are executed, security will become less of a problem.

Get the requirements for security out of Windows, and put it into trusted bank-issued smart cards. Separate authentication from authorization from identification. Build systems that humans can manually verify without a Windows box being the portal through which this verification happens.

If I say "My name is John", that's identification. Identification can be public or private. Authentication is the proof between two parties that my identification is valid. In other words, during the course of a transaction you can learn that my identity is John, and that my account number is 123, but you shouldn't be able to use that knowledge to prove to someone else that you're John or charge a purchase against account # 123. Requiring separate authentication would eliminate identity theft.

This is how the IBM ZTIC works, although it essentially shows up a confirmation "you seriously want to move $25,000 of your cash from checking to Elbonia?"

Realistically, the best solution may be an app for the phone. You get a one time key from the app on the phone, use that to log in on the PC, then use the phone to confirm transactions. For a blackhat to get access to the account fully, they would need to compromise both the PC (so they can log in), as well as the cellphone (to approve an

The smart phone's task is to be a separate authentication device. A SecurID card also works, or a ZTIC-like device can handle authentication and confirmations.
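
Added example, not part of any comment in this thread and not IBM's or any bank's code: a Python sketch of the separation discussed above, in which a key held on a separate device signs the transaction details the user confirms on that device. The `Bank`, `Token` and `demo` names, the HMAC construction and the sample transfers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, nonce, account, payee, cents):
    # Length-prefix every field so adjacent fields cannot be shifted into each other.
    parts = (nonce, account.encode(), payee.encode(), str(cents).encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Token:
    """Hypothetical separate device: holds the key and has its own display."""

    def __init__(self, key):
        self._key = key

    def confirm(self, nonce, account, payee, cents, user_approves):
        # The user approves what the device shows, not what the PC shows.
        if not user_approves(payee, cents):
            return None
        return _mac(self._key, nonce, account, payee, cents)


class Bank:
    def __init__(self):
        self._keys = {}     # account -> key shared with that account's device
        self._pending = {}  # one-time challenge -> account

    def enroll(self, account):
        self._keys[account] = secrets.token_bytes(32)
        return Token(self._keys[account])

    def challenge(self, account):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = account
        return nonce

    def execute(self, nonce, account, payee, cents, code):
        # pop() makes every challenge single use, so a captured code cannot be replayed.
        if self._pending.pop(nonce, None) != account or code is None:
            return False
        expected = _mac(self._keys[account], nonce, account, payee, cents)
        return hmac.compare_digest(expected, code)


def demo():
    """Constructed scenario: account 123 pays HOME DEPOT 49.99."""
    bank = Bank()
    token = bank.enroll("123")
    approve = lambda payee, cents: (payee, cents) == ("HOME DEPOT", 4999)
    results = {}

    n = bank.challenge("123")
    code = token.confirm(n, "123", "HOME DEPOT", 4999, approve)
    results["legitimate"] = bank.execute(n, "123", "HOME DEPOT", 4999, code)
    results["replayed"] = bank.execute(n, "123", "HOME DEPOT", 4999, code)

    # Compromised PC swaps the payee and amount after the user approved on the device.
    n = bank.challenge("123")
    code = token.confirm(n, "123", "HOME DEPOT", 4999, approve)
    results["swapped"] = bank.execute(n, "123", "ELBONIA", 2500000, code)

    # Someone who knows only the name and account number has no key to sign with.
    n = bank.challenge("123")
    results["no_key"] = bank.execute(n, "123", "ELBONIA", 2500000, "0" * 64)

    # The device is asked to sign the fraudulent transfer; the user sees it and declines.
    n = bank.challenge("123")
    code = token.confirm(n, "123", "ELBONIA", 2500000, approve)
    results["declined"] = bank.execute(n, "123", "ELBONIA", 2500000, code)
    return results


if __name__ == "__main__":
    print(demo())
```
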

The reason I was mentioning a smart phone is that they are becoming quite common, and have the functionality as a computer. So, having the ability to use that device as opposed to having a dedicated dongle for access would save money and hassle for most people.

You are right, lose the device, and lose access to the account. However, places like eBay

The problem with the phone is that it becomes a target, and it's on the network. If I want to start stealing, I just have to hack your phone. Convince you to download my "facepalm" app and it infects your payment app, or it paints a fake payment app picture. We shouldn't keep trying to trust these devices.

We're already in the boat of "something is better than nothing" and all we've got is water up to our knees making an incoherent mess.

I would say that app security on phones is light years ahead of security on general computers.

For example, Android. A malicious app can install with a lot of permissions, but if it wants to get into the banking app's files, it will require breaking out of the Dalvik VM, rooting the phone, then trying to find a way to pull the data encryption key from the context of the other application.

iOS has similar security. A malicious app would have to figure out how to get out of the BSD jail, get root, find the en

You're still thinking "old school" security, which is only slightly better than what we have today. We need a radically different approach, one that removes the motivation to hack by removing the value-carrying-apps from the network. Attacks will always be made on any point that has a presence on the network. Put payments on the phone, and phones become a target. Weird, crazy impersonation attacks that seem highly improbable today would become the XSS of tomorrow's hackers. We need a real difference in

1. This may be an advantage, because they can have custom-built devices that exactly meet their specific needs. The device itself is quite simple, and it only needs to provide a trusted display and keyboard. The only trust in it a user really needs is to know that it's not skimming their PIN, and it's displaying exactly what it's supposed to display. The crypto all happens in their bank card's chip.

2. Agreed that homogeneity is bad (look at Windows) but it's worked for 10 years for RSA tokens. Sealed,

That is similar to how the ZTIC system from IBM works. The only weakness in that is the fact that a blackhat can capture your authentication token (the cookie the bank uses, SSL state, etc.) Then while you are looking at your statements, the Web browser is actually making some bank transfers to Elbonia without showing you.

With the ZTIC, as it has a completely separate, secure connection to the bank, it will show you the transactions before allowing approving, so someone trying to pull money from the accou

The way you described it there may be one exploitable flaw: you said it shows you the destination bank account. That's ideal for online banking, but it would be useless to go shopping with: I don't know the bank account number of the store. I only know the store's name. I'd need to confirm on the device that the store I'm paying is HOME DEPOT, and not "account 12345"; just because the web site says "This is HOME DEPOT and our account #

Would work on any device from a mobile phone through to that shiny new 100" plasma TV you bought (the one with the inbuilt web browser)

No I dont have any connection to these guys, I just think their product is a brilliant idea and it could eliminate phishing almost entirely with far less cost to the banks than any of the electronic devices (SecurID, little calculators to generate special hashes etc) currently

Wow, I'm afraid I have to conclude this guy is possibly a little too full of himself.

If we ever get anywhere near a "single secure cyberspace", we're pretty much all screwed.

Governments will use this to stifle your privacy, your rights, and every other thing they can think of. They'll make sure they monitor everything you do, and ensure you don't do anything they don't approve of.

Anybody who thinks the solution to cybercrime is to more or less lock down the internet like this... well, I think they deserve a series of well placed kicks to the groin. I can only see this as more or less fascism -- though I'm sure I'll be accused of hyperbole.

I understand his concern, especially after Kaspersky's son's kidnapping, but this would erode online privacy to say the least.

'described himself as an “optimistic paranoid” when it came to online security'
I guess an optimistic paranoid is hoping that the next security technology is better than the one before, but never really trusting anything or anyone.

In the idiot-filled corporate world it is the job of people like Kaspersky to scare empty-headed CEOs and Congresspeople by puffing themselves up as an "expert" and making wild predictions and promises in the hope of getting some money for products that will work marginally at best. He's just doing his job... so hate the system AND the idiots behind it.

I guess an optimistic paranoid is hoping that the next security technology is better than the one before, but never really trusting anything or anyone.

There are numerous unknown enemies out there trying to get me, and my known enemies (such as the merger of govt and big business being given 1984 style tools of oppression) would of course do awful things, but it's always possible to optimistically define something worse that isn't (yet) happening.

That's what Interpol's job is supposed to do in the first place in all forms. Coordinate police dept's and services around the world. The real problem isn't so much that police don't talk, it's that the governments don't give them the resources to deal with internet related crime. In Canada, financial crimes under $200k are done on a case by case basis, by local dept's or by the provincial police, if there's enough officers available to take them off traditional crimes. Financial crimes over $250k are looked at only by the RCMP, and the RCMP will not take any case under $200k due to the lack of manpower and resources. And financial crimes under $40k are pretty much written off unless there are officers available. That's not even touching on the training.

It's a sad state, but the problem is threefold. First people don't think you need more police. The average citizen to cop ratio is between 100:1 and 750:1, though in some parts of the US it's 4000:1. Second, while a lot of younger cops (that's under 40 as the average age here is around 45), see this as an issue but not a pressing one (too much traditional crime, and staff sgt's who have too few resources, or too few inspectors for the job and are on other cases). Third, politics and bureaucratic BS. There are either weak laws, no laws, a mishmash of laws, or politicians and chiefs stuck in 30-40 year old thinking.

No, the big issue is that Russia, China and a handful of other nations don't prosecute those crimes unless they take place completely on their soil. As long as some nations out there don't prosecute suspected crackers, there's unlikely to ever be much changed.

On top of that, in the US we failed to prosecute the corporations that were benefiting from spam while turning a blind eye to how the messages were being sent. It would be naive to say the least of them not to put two and two together when spam message

Anything that is "local" is going to be up to the local police with no knowledge of how to deal with an "Internet crime". That means any crime that involves use of the Internet at all - like a bank robber sending an email saying "give me all your money or I will kill people."

Anything that crosses international borders requires a great deal of cooperation and a great deal of interest. Frankly, most 2nd-world governments think they have much better things to do than prevent 1st-worlders from getting defraud

We were talking about that 10 years ago and almost nothing has happened. Sooner or later we will have one.

Nothing has happened because we the fucking people don't want it to happen. We the Geeks responsible for implementing these BS control-freak fantasies for Big Brother don't want it to happen. We the citizens of a planet rapidly coming to recognize the meaninglessness of national borders don't want our rights to depend on those available in the most restrictive theocratic dictatorship on the planet.

Nothing will happen because, for all its flaws, we designed the internet to survive government attempts to control it.

I used to believe that latter part, but today I'm not so sure.. Unfortunately voting doesn't take into account relative intelligence and wisdom. Thus, the drooling head babbling soccer moms beat out the geeks every time. As far as implementation goes, there are always a few sellouts.

Ban the use of credit cards for online purchases and replace them with some kind of digital currency, something like is used in Second Life. You transfer funds into this account and use it for online transactions and then transfer funds back out of it into your bank account.

"With cybercrime now the second largest criminal activity in the world, measures such as the creation of an 'Internet Interpol'

We don't need an 'Internet Interpol', what we need is computers that aren't so easily hacked..

Yea, that's the job of the primary economy, and you're right we are getting screwed. I notice you have nothing to say about the ability to steal product online with nothing more secure than a sequence of digits, the same ones printed on the front of the card. A bit like giving away a make-your-own-money-kit with every desktop computer.

Why do I get the feeling that large American and European corporations will be the ones to benefit most from this "international law enforcement"?

And the citizens of pretty much everywhere will be the ones who lose the most.

The democracies will become even more like surveillance societies. The places with questionable human rights records will be sold this stuff so they can further control their people (by companies who only care about the bottom line). And, the outright dictators will think it's just gra

Yes, clearly the guy who went to a KGB funded school and then worked in a KGB funded research lab has NOTHING to do with KGB. If you even read the Guardian correction, they don't actually say what they said is wrong, just that it was a mistake to say it (compare the wishy washy wording in that correction to the far more definite wording in the following two corrections).

Last time I checked, the majority of the criminal activity on the internet was perpetrated by Governments... what good would creating an international agency to patrol criminal activity do when it would have to report to the criminals themselves?

Some of us might recall that, back in the Seventies, before they started the CB Radio Interpol, people were using those things for thumbing their noses at highway speed limits en masse—not to mention for arranging from time to time to score weed, speed, or dirty deeds.

Thank goodness the authorities acted quickly in that case, and were able to nip the thing in the bud!

Is a system so secure and able to identify you, that it CANNOT allow for crimes to be committed.

Reasonable security is good. But we want a system that NEEDS the will of the governed. If people are treated fairly -- and there is a system in place where Identity can MANUALLY be ascertained, then real security is through the GOOD WILL of the people.

Also, you need people who react, rather than waiting for some authority to come by -- but that's another discussion.

Or even worse, the dictators would have a monitoring service that just would scan for keywords. If one of their subjects states too much stuff or passes a threshold, the program sends a memo to a secret police to make the person disappear, perhaps if the threshold of "revolution speech" is high enough, the person's family disappears too.

Can you picture someone like Stalin or Pol Pot with this ability to monitor technology in their nation? Even outside their nation, they can find who dislikes their country

the only reason the botnets are a threat is because the organizations they attack are used to having big daddy government protect them from everyone else. they don't want to take on the time and expense of designing better systems.. they buy shitty middleware and get hacked, and they think ink on paper is going to protect them.. the single best way to mitigate the botnet problem is to take windows off the market, but of course that'll never happen.

why? it's not that other os's don't have flaws, it's that windows is straddled with user-interface expectations that are not compatible with even basic security (user processes kept separate from base system). yes windows has the capability, but the software infrastructure that supports the os does not tolerate it well. the OOTB security configuration is a joke as well,.. all it does is annoy the user into turning them off. governments and their agencies (and banks and corporations) use windows everywhere.